Welcome to the third edition of Updata – the international quarterly update from Eversheds Sutherland’s dedicated Privacy and Cybersecurity team. Updata provides you with a compilation of privacy and cybersecurity regulatory and legal updates from our contributors around the globe over the past quarter. This quarter’s report features commentary on a number of interesting developments, including: Updated guidance from the EU’s ENISA on What is “state of the art” in IT security? and a new cybersecurity standard on internet-connected consumer devices. New laws in China, including a draft...

Eversheds Sutherland, in collaboration with Microsoft, is delighted to announce the launch of our latest thought leadership papers: Cyber threats in the oil and gas sector: The cyber threat is changing and increasingly in the crosshairs is the energy sector. If you’re an oil and gas company, you can’t afford the loss of confidential information or disruption to operations. Download the whitepaper for practical suggestions on how to keep your organization safe. Data Sovereignty – the oil and gas perspective: Companies are increasingly running up against legal barriers to the free flow and...

In light of the rising tide of costly class action lawsuits brought under the Illinois Biometric Information Privacy Act (BIPA), companies that use biometrics—even, in some cases, companies outside of Illinois that do not themselves collect biometric information—should become familiar with this statute’s strict requirements.
• Even photographs, when used for security purposes like automated facial recognition, may trigger BIPA under certain circumstances.
• BIPA imposes several important requirements relating to consent to collect, store, and use biometric data, as well as destruction and...

As of March 1, 2019, the New York State Department of Financial Services’ (NYDFS) cybersecurity regulation, 23 NYCRR Part 500, requires financial services institutions regulated by NYDFS to implement policies and procedures to address the cybersecurity risks posed by third-party service providers to the institutions’ nonpublic information (NPI).

Technologies often provide solutions, if not game-changing solutions; but there is no solution that comes without its own challenges. Knowing what those potential challenges are up front is becoming increasingly critical. For both pragmatic and regulatory reasons, it is more important than ever that boards, senior executives and general counsels sufficiently understand technologies such as blockchain, artificial intelligence (AI) and integrated “smart” components to recognize their potential risks, not just their promise. In their article for Cybersecurity Law and Strategy, Eversheds...

March 1 is upon us, now what? The deadline for the NY Department of Financial Services’ “first of its kind” cyber regulation has arrived for financial services institutions to implement programs that properly evaluate and manage the data security risks posed by their vendors. To manage these risks, institutions must go beyond the traditional vendor management function and far deeper into the contracting process.

Vendor management takes the forefront

As part of our approach to advising clients in this new world of cyber regulation, our proprietary methodology includes the use of artificial...

On February 27, the Federal Trade Commission announced a settlement with video social networking app TikTok, in which the company agreed to pay $5.7 million for violating the Children’s Online Privacy Protection Act (COPPA), the largest fine issued under the law to date. According to the FTC, the company was aware that children under 13 were using the app but failed to obtain parental consent prior to collecting the children’s names, email addresses, and phone numbers, among other information. The FTC also alleged the company failed to inform parents of its information collection...

From the implementation of the GDPR to the passage of the CCPA, the year 2018 proved to be a monumental one for cybersecurity and data privacy. Regulators from around the world responded to devastating, large-scale cyber-attacks, and a desire for their citizens to have more control over their data, by passing a wide range of regulations aimed at protecting consumer information. These regulations varied in terms of their size and scope but the message sent in 2018 was clear: data privacy and cybersecurity protections are here to stay. The year 2019 is already proving this to be true. In the...

The start to 2019 provided scant respite from the frenetic pace of privacy and cybersecurity developments. Already this year, regulators have amended and enforced existing regulations; courts have issued significant interpretations of law; and legislators have proposed new rules aimed at increasing privacy obligations and liability for businesses. This alert highlights the pressing cybersecurity and data privacy updates from the month of January and explains what they mean for companies. Google recently received the largest fine issued under the General Data Protection Regulation (GDPR),...

After the historic defeat on 15 January of the draft withdrawal agreement (defeated deal), we consider below what the implications of a no-deal Brexit would be for data protection, and the extent to which the defeated deal would have dealt with any of those issues. We also provide a checklist of actions that businesses can take to help prepare for the outcome in default – a “no deal” Brexit.

In a unanimous decision on January 25, 2019, the Illinois Supreme Court found that a plaintiff need not show actual harm to seek relief under the state’s Biometric Information and Privacy Act (BIPA). This is welcome news for plaintiffs’ attorneys who have already used BIPA as a vehicle to file dozens of class action lawsuits against businesses across a wide swath of industries in each of the last few years. According to the Illinois Supreme Court, there is an inherent right to privacy associated with biometric information, which can include data relating to fingerprints, retinas, gait and...

Welcome to the second edition of Updata – the international quarterly update from Eversheds Sutherland’s dedicated Privacy and Cybersecurity team. Updata provides you with a compilation of privacy and cybersecurity regulatory and legal updates from our contributors around the globe over the past quarter. You can find previous editions on our dedicated webpage.

The agency responsible for administering the General Data Protection Regulation (GDPR) recently proposed guidelines to clarify the extra-territorial scope of Europe’s sweeping new privacy law. While these guidelines are not yet finalized, they indicate that the reach of the GDPR spreads far beyond the European Union. American businesses that had concluded that they were likely exempt from the GDPR based on previous interpretations should review the new guidelines to confirm that they are not subject to the GDPR’s requirements. This need to double check the applicability is especially...

Vietnam recently issued a draft decree that clarifies the scope of its impending cybersecurity law and its impact on foreign businesses. The law is set to go into effect on January 1, 2019, though the implementation of certain requirements that impact foreign companies the most will likely be delayed. Unlike other cybersecurity and data privacy laws passed this year, which were inspired by Europe’s GDPR, Vietnam’s law emulates the cybersecurity regulations in place in China, and it creates a mechanism for the government to control the flow of information, including through a data...
